Hello,
I'm running an SSH server and I would like to keep an eye on users who are trying to connect to my server using wrong passwords.
Available logs are (OK/KO):
Oct 16 23:34:40 xxxxxxx xxxxxxx[26557]: User toto@tata.fr from 127.0.0.7 authentified
Oct 17 01:53:17 xxxxxxx xxxxxxx[info] 29731#0: *322809 client login failed127.0.0.0.8, login: "titi@tutu.fr"
And I would like to know the percentage of failures per login.
I tried this aggregation:
GET result-2016.10.16/_search
{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "analyze_wildcard": true,
            "query": "*"
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": 1473334483178,
              "lte": 1476698400000,
              "format": "epoch_millis"
            }
          }
        }
      ],
      "must_not": []
    }
  },
  "aggs": {
    "status_failed": {
      "filter": {
        "term": {
          "status": "failed"
        }
      },
      "aggs": {
        "nb_docs_per_account": {
          "terms": {
            "field": "login",
            "min_doc_count": 20,
            "size": 5,
            "order": {
              "_count": "desc"
            }
          }
        }
      }
    },
    "status_ok": {
      "filter": {
        "term": {
          "status": "authentified"
        }
      },
      "aggs": {
        "nb_docs_par_login": {
          "terms": {
            "field": "login",
            "min_doc_count": 700,
            "size": 5,
            "order": {
              "_count": "desc"
            }
          }
        }
      }
    }
  }
}
I am therefore able to know the number of failures AND successes per login:
{
  "took": 91,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "failed": 0
  },
  "hits": {
    "total": 180838,
    "max_score": 0,
    "hits": []
  },
  "aggregations": {
    "status_ok": {
      "doc_count": 174779,
      "nb_docs_par_login": {
        "doc_count_error_upper_bound": 264,
        "sum_other_doc_count": 165737,
        "buckets": [
          {
            "key": "blabbla@blabla",
            "doc_count": 1248
          },
          {
            "key": "bibi@bobo",
            "doc_count": 1002
          }
        ]
      }
    },
    "status_failed": {
      "doc_count": 6059,
      "nb_docs_par_login": {
        "doc_count_error_upper_bound": 27,
        "sum_other_doc_count": 5402,
        "buckets": [
          {
            "key": "coucou@toto",
            "doc_count": 162
          }
        ]
      }
    }
  }
}
However, is there a way to "join" the 2 aggregations using the key "login" and compute the percentage of failure (i.e. number of failed / (number of success + number of failed)) per login, and sort it?
Thanks
Christophe
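One way to get the ratio in a single request, as an added example that is not part of the original post: group by `login` first, count each status inside that bucket with filter sub-aggregations, and let a `bucket_script` pipeline aggregation compute failed / (failed + ok) per bucket, with `bucket_sort` ordering the buckets by it. It assumes Elasticsearch 6.1 or later (Painless scripting and `bucket_sort`); the `failure_rates` function does the same arithmetic client-side on a constructed response for older clusters. Field and status values are the ones from the post.

```python
def failure_rate_query(gte, lte, min_doc_count=20, size=50):
    """Single-pass replacement for the two separate filter aggregations."""
    script = ("(params.failed + params.ok) == 0 ? 0 "
              ": params.failed / (params.failed + params.ok)")
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {
            "gte": gte, "lte": lte, "format": "epoch_millis"}}},
        "aggs": {"per_login": {
            # one bucket per login, then count each status inside it
            "terms": {"field": "login", "size": size,
                      "min_doc_count": min_doc_count},
            "aggs": {
                "failed": {"filter": {"term": {"status": "failed"}}},
                "ok": {"filter": {"term": {"status": "authentified"}}},
                # pipeline agg: failed / (failed + ok) for each login bucket
                "failure_rate": {"bucket_script": {
                    "buckets_path": {"failed": "failed>_count",
                                     "ok": "ok>_count"},
                    "script": script}},
                # order the login buckets by that ratio (needs ES 6.1+)
                "by_failure_rate": {"bucket_sort": {
                    "sort": [{"failure_rate": {"order": "desc"}}]}},
            },
        }},
    }

def failure_rates(response):
    """Client-side fallback for clusters without pipeline aggs: (login, failed, ok, rate) by rate desc."""
    rows = []
    for b in response["aggregations"]["per_login"]["buckets"]:
        failed, ok = b["failed"]["doc_count"], b["ok"]["doc_count"]
        total = failed + ok
        rate = failed / total if total else 0.0  # login with neither status
        rows.append((b["key"], failed, ok, rate))
    rows.sort(key=lambda r: (-r[3], -r[1], r[0]))
    return rows

# Constructed sample response in the shape the query above returns.
SAMPLE_RESPONSE = {"aggregations": {"per_login": {"buckets": [
    {"key": "blabbla@blabla", "failed": {"doc_count": 52}, "ok": {"doc_count": 1248}},
    {"key": "coucou@toto", "failed": {"doc_count": 162}, "ok": {"doc_count": 38}},
    {"key": "bibi@bobo", "failed": {"doc_count": 0}, "ok": {"doc_count": 1002}},
    {"key": "nobody@nowhere", "failed": {"doc_count": 0}, "ok": {"doc_count": 0}},
]}}}

if __name__ == "__main__":
    for login, failed, ok, rate in failure_rates(SAMPLE_RESPONSE):
        print(f"{login:16} failed={failed:4} ok={ok:5} rate={rate:.1%}")
```

A login whose only events carry a third status ends up with a rate of 0 rather than a division error, both in the Painless ternary and in the fallback.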